@lastshotlabs/bunshot 0.0.25 → 0.0.28

package/dist/{lib → src/shared/lib}/signing.js

@@ -11,6 +11,9 @@ import { timingSafeEqual } from "./crypto";
  */
 export function hmacSign(data, secret) {
     const key = Array.isArray(secret) ? secret[0] : secret;
+    if (!key) {
+        throw new Error("hmacSign: secret key must be a non-empty string");
+    }
     return createHmac("sha256", key).update(data).digest("hex");
 }
 /**
@@ -26,14 +29,21 @@ export function hmacSign(data, secret) {
  */
 export function hmacVerify(data, sig, secret) {
     const keys = Array.isArray(secret) ? secret : [secret];
+    if (keys.length === 0)
+        return false;
     for (const key of keys) {
+        if (!key)
+            continue;
         const expected = createHmac("sha256", key).update(data).digest("hex");
         try {
             if (timingSafeEqual(expected, sig))
                 return true;
         }
         catch {
-            // timingSafeEqual can throw on length mismatch with multi-byte chars
+            // timingSafeEqual (src/lib/crypto.ts) handles length mismatches itself:
+            // it returns false rather than throwing, so this catch block is never
+            // reached under normal conditions. It is kept as a defensive no-op in
+            // case the underlying implementation changes in the future.
         }
     }
     return false;
@@ -106,17 +116,35 @@ export function verifyCursor(cursor, secret) {
 // ---------------------------------------------------------------------------
 // Presigned URLs
 //
-// Signing data = method + "\n" + key + "\n" + exp
+// Signing data = method + "\n" + key + "\n" + exp + "\n" + sortedParams
 // Newline delimiter is safe: keys like "uploads/2024/photo.jpg" contain dots
 // but cannot contain newlines; method and exp never contain newlines.
 // Using "." would create ambiguity with keys containing dots.
+//
+// Extra params are included in the HMAC so that an attacker cannot modify,
+// add, or remove query parameters without invalidating the signature.
+// sortedParams is always present (empty string when no extra params) so the
+// "\n" delimiter is consistent — prevents length-extension confusion.
 // ---------------------------------------------------------------------------
+/**
+ * Serialize extra params for inclusion in the HMAC signing string.
+ * Keys are sorted, then each key and value are percent-encoded (encodeURIComponent)
+ * and joined as "key=value&key2=value2". Returns "" when params is empty/undefined.
+ */
+function serializeExtraParams(params) {
+    if (!params || Object.keys(params).length === 0)
+        return "";
+    return Object.keys(params)
+        .sort()
+        .map((k) => `${encodeURIComponent(k)}=${encodeURIComponent(params[k])}`)
+        .join("&");
+}
 /**
  * Create a stateless HMAC-signed URL. The signature covers the HTTP method,
- * storage key, and expiry timestamp so that:
+ * storage key, expiry timestamp, and any extra query params so that:
  *  - Expired URLs are rejected (replay prevention)
  *  - URLs are method-bound (a GET URL can't be replayed as a PUT)
- *  - Tampering with the key or expiry invalidates the signature
+ *  - Tampering with the key, expiry, or any extra param invalidates the signature
  *
  * @param base   Base URL string (e.g. "https://api.example.com/uploads/presign")
  * @param key    Storage object key
@@ -126,7 +154,8 @@ export function verifyCursor(cursor, secret) {
 export function createPresignedUrl(base, key, opts, secret) {
     const exp = Math.floor(Date.now() / 1000) + opts.expiry;
     const method = opts.method.toUpperCase();
-    const data = `${method}\n${key}\n${exp}`;
+    const sortedParams = serializeExtraParams(opts.extra);
+    const data = `${method}\n${key}\n${exp}\n${sortedParams}`;
     const sig = hmacSign(data, secret);
     const url = new URL(base);
     url.searchParams.set("key", key);
@@ -163,11 +192,7 @@ export function verifyPresignedUrl(url, method, secret) {
         return null;
     // Expiry check
     const expNum = parseInt(exp, 10);
-    if (isNaN(expNum) || expNum < Math.floor(Date.now() / 1000))
-        return null;
-    // Signature check
-    const data = `${urlMethod}\n${key}\n${exp}`;
-    if (!hmacVerify(data, sig, secret))
+    if (!isFinite(expNum) || expNum < Math.floor(Date.now() / 1000))
         return null;
     // Collect extra params (all except reserved ones)
     const reserved = new Set(["key", "exp", "sig", "method"]);
@@ -176,5 +201,10 @@ export function verifyPresignedUrl(url, method, secret) {
         if (!reserved.has(k))
             extra[k] = v;
     }
+    // Signature check — includes extra params so tampering is detected
+    const sortedParams = serializeExtraParams(Object.keys(extra).length > 0 ? extra : undefined);
+    const data = `${urlMethod}\n${key}\n${exp}\n${sortedParams}`;
+    if (!hmacVerify(data, sig, secret))
+        return null;
     return Object.keys(extra).length > 0 ? { key, extra } : { key };
 }

package/dist/src/testing.d.ts

@@ -0,0 +1,34 @@
+import type { BunshotEventBus } from '../packages/bunshot-core/src/index.js';
+import type { CreateServerConfig } from './server';
+export { resetMetrics } from './framework/lib/metrics';
+export interface E2EServerHandle {
+    server: ReturnType<typeof Bun.serve>;
+    baseUrl: string;
+    wsUrl: string;
+    url: string;
+    bus: BunshotEventBus;
+    stop(): void;
+    cleanup(): Promise<void>;
+}
+/**
+ * Create an E2EServerHandle from a pre-built Hono app.
+ * HTTP-only — cannot be used for WS upgrade flows.
+ */
+export declare function wrapAppAsTestServer(app: {
+    fetch: (...args: any[]) => any;
+}): E2EServerHandle;
+/**
+ * Full test server — calls createServer(). Required for WS E2E, heartbeat,
+ * transport, and any Bun.serve()-level behavior.
+ */
+export declare function createTestFullServer(config?: Partial<CreateServerConfig>): Promise<E2EServerHandle>;
+/**
+ * Lightweight cookie jar for E2E tests.
+ * fetch() doesn't auto-handle Set-Cookie — this helper accumulates
+ * Set-Cookie headers and injects Cookie on subsequent requests.
+ */
+export declare function createCookieJar(): {
+    absorb: (response: Response) => void;
+    header: () => Record<string, string>;
+    clear: () => void;
+};

package/dist/src/testing.js

@@ -0,0 +1,93 @@
+import { getContext } from '../packages/bunshot-core/src/index.js';
+import { createServer, getServerContext } from './server';
+export { resetMetrics } from './framework/lib/metrics';
+/**
+ * Create an E2EServerHandle from a pre-built Hono app.
+ * HTTP-only — cannot be used for WS upgrade flows.
+ */
+export function wrapAppAsTestServer(app) {
+    const server = Bun.serve({ port: 0, fetch: app.fetch });
+    const baseUrl = `http://localhost:${server.port}`;
+    const wsUrl = `ws://localhost:${server.port}`;
+    const ctx = getContext(app);
+    const bus = ctx.bus;
+    return {
+        server,
+        baseUrl,
+        wsUrl,
+        url: baseUrl,
+        bus,
+        stop: () => server.stop(true),
+        cleanup: async () => server.stop(true),
+    };
+}
+/**
+ * Full test server — calls createServer(). Required for WS E2E, heartbeat,
+ * transport, and any Bun.serve()-level behavior.
+ */
+export async function createTestFullServer(config) {
+    const fullConfig = {
+        routesDir: '.',
+        app: { name: 'E2E Test App' },
+        db: {
+            mongo: false,
+            redis: false,
+            sessions: 'memory',
+            cache: 'memory',
+            auth: 'memory',
+        },
+        security: {
+            rateLimit: { windowMs: 60_000, max: 1000 },
+        },
+        logging: { onLog: () => { } },
+        port: 0,
+        ...config,
+    };
+    const server = await createServer(fullConfig);
+    const baseUrl = `http://localhost:${server.port}`;
+    const wsUrl = `ws://localhost:${server.port}`;
+    const ctx = getServerContext(server);
+    const bus = ctx.bus;
+    return {
+        server,
+        baseUrl,
+        wsUrl,
+        url: baseUrl,
+        bus,
+        stop: () => server.stop(true),
+        cleanup: async () => server.stop(true),
+    };
+}
+/**
+ * Lightweight cookie jar for E2E tests.
+ * fetch() doesn't auto-handle Set-Cookie — this helper accumulates
+ * Set-Cookie headers and injects Cookie on subsequent requests.
+ */
+export function createCookieJar() {
+    const cookies = new Map();
+    function absorb(response) {
+        const setCookie = response.headers.get('set-cookie');
+        if (!setCookie)
+            return;
+        const parts = setCookie.split(/,(?=[^ ])/);
+        for (const part of parts) {
+            const [kv] = part.trim().split(';');
+            const eq = kv.indexOf('=');
+            if (eq === -1)
+                continue;
+            const name = kv.slice(0, eq).trim();
+            const value = kv.slice(eq + 1).trim();
+            cookies.set(name, value);
+        }
+    }
+    function header() {
+        if (cookies.size === 0)
+            return {};
+        const value = [...cookies.entries()].map(([k, v]) => `${k}=${v}`).join('; ');
+        return { cookie: value };
+    }
+    function clear() {
+        cookies.clear();
+    }
+    return { absorb, header, clear };
+}

package/package.json

@@ -1,6 +1,9 @@
 {
   "name": "@lastshotlabs/bunshot",
-  "version": "0.0.25",
+  "workspaces": [
+    "packages/*"
+  ],
+  "version": "0.0.28",
   "description": "Batteries-included Bun + Hono API framework — auth, sessions, rate limiting, WebSocket, queues, and OpenAPI docs out of the box",
   "repository": {
     "type": "git",
@@ -16,57 +19,86 @@
     "websocket",
     "openapi"
   ],
-  "module": "dist/index.js",
-  "types": "dist/index.d.ts",
+  "type": "module",
+  "module": "dist/src/index.js",
+  "types": "dist/src/index.d.ts",
   "exports": {
     ".": {
-      "import": "./dist/index.js",
-      "types": "./dist/index.d.ts"
+      "import": "./dist/src/index.js",
+      "types": "./dist/src/index.d.ts"
     },
     "./mongo": {
-      "import": "./dist/entrypoints/mongo.js",
-      "types": "./dist/entrypoints/mongo.d.ts"
+      "import": "./dist/src/entrypoints/mongo.js",
+      "types": "./dist/src/entrypoints/mongo.d.ts"
     },
     "./redis": {
-      "import": "./dist/entrypoints/redis.js",
-      "types": "./dist/entrypoints/redis.d.ts"
+      "import": "./dist/src/entrypoints/redis.js",
+      "types": "./dist/src/entrypoints/redis.d.ts"
     },
     "./queue": {
-      "import": "./dist/entrypoints/queue.js",
-      "types": "./dist/entrypoints/queue.d.ts"
+      "import": "./dist/src/entrypoints/queue.js",
+      "types": "./dist/src/entrypoints/queue.d.ts"
+    },
+    "./testing": {
+      "import": "./dist/src/testing.js",
+      "types": "./dist/src/testing.d.ts"
     },
     "./docs/*": "./docs/sections/*"
   },
   "bin": {
-    "bunshot": "./dist/cli.js"
+    "bunshot": "./dist/cli/index.js"
   },
   "files": [
     "dist",
-    "docs/sections"
+    "docs/sections",
+    ".oclif.manifest.json"
   ],
+  "oclif": {
+    "bin": "bunshot",
+    "dirname": "bunshot",
+    "commands": "./dist/cli/commands",
+    "topicSeparator": " "
+  },
   "scripts": {
-    "build": "tsc -p tsconfig.build.json && tsc-alias -p tsconfig.build.json && bun build src/cli.ts --outdir dist --minify --target bun",
+    "typecheck": "bun --filter '*' run typecheck",
+    "typecheck:root": "tsc --noEmit",
+    "build": "tsc -p tsconfig.build.json && tsc-alias -p tsconfig.build.json && tsup --config tsup.cli.config.ts && oclif manifest",
     "prepublishOnly": "bun run build",
     "release": "npm version patch && npm publish",
     "dev": "bun --watch src/index.ts",
     "start": "bun src/index.ts",
-    "readme": "bun docs/build-readme.ts",
-    "readme:npm": "bun docs/build-readme.ts npm",
-    "test": "bun test tests/unit tests/integration && bun test tests/isolated/optional-deps.test.ts && bun test tests/isolated/jwt-secret.test.ts && bun test tests/isolated/queue.test.ts tests/isolated/jobs-router.test.ts && bun test tests/isolated/queued-deletion.test.ts",
-    "test:isolated": "bun test tests/isolated/optional-deps.test.ts && bun test tests/isolated/jwt-secret.test.ts && bun test tests/isolated/queue.test.ts tests/isolated/jobs-router.test.ts && bun test tests/isolated/queued-deletion.test.ts",
-    "test:coverage": "bun test --coverage tests/unit tests/integration",
+    "test": "bun test tests/unit tests/integration && bun run test:isolated && bun test --config packages/bunshot-core/bunfig.toml packages/bunshot-core/tests && bun test --config packages/bunshot-permissions/bunfig.toml packages/bunshot-permissions/tests",
+    "test:isolated": "bun test tests/isolated/config-lock.test.ts tests/isolated/memoryCache.test.ts tests/isolated/zodToMongoose.test.ts && bun test tests/isolated/optional-deps.test.ts && bun test tests/isolated/jwt-signing-singleton.test.ts && bun test tests/isolated/csrf-signing-singleton.test.ts && bun test tests/isolated/auth0Access.test.ts && bun test tests/isolated/queue.test.ts tests/isolated/jobs-router.test.ts && bun test tests/isolated/queued-deletion.test.ts && bun test tests/isolated/bullmq-adapter-durable.test.ts && bun test tests/isolated/passkey-e2e.test.ts",
+    "test:coverage": "bun test --coverage tests/unit tests/integration --config bunfig.ci.toml && bun test --coverage --config packages/bunshot-core/bunfig.toml packages/bunshot-core/tests && bun test --coverage --config packages/bunshot-permissions/bunfig.toml packages/bunshot-permissions/tests",
+    "test:coverage:check": "bun run test:coverage && bun scripts/check-coverage.ts",
     "test:docker:up": "docker compose -f docker-compose.test.yml up -d --wait",
     "test:docker:down": "docker compose -f docker-compose.test.yml down",
     "test:docker": "bun test --config bunfig.docker.toml tests/docker/",
-    "test:all": "bun test tests/unit tests/integration && bun run test:docker",
-    "test:coverage:full": "bun run test:docker:up && bun test --coverage --config bunfig.ci.toml tests/unit tests/integration tests/docker; bun run test:docker:down"
+    "test:e2e": "bun run test:docker:up && bun test --config bunfig.e2e.toml tests/e2e/; bun run test:docker:down",
+    "test:e2e:ci": "bun test --config bunfig.e2e.toml tests/e2e/",
+    "test:e2e:sqlite": "TEST_BACKEND=sqlite bun run test:e2e:ci",
+    "test:e2e:mongo": "TEST_BACKEND=mongo bun run test:e2e:ci",
+    "test:e2e:postgres": "TEST_BACKEND=postgres bun run test:e2e:ci",
+    "test:all": "bun test tests/unit tests/integration && bun run test:docker:up && bun test --config bunfig.docker.toml tests/docker/ && bun test --config bunfig.e2e.toml tests/e2e/; bun run test:docker:down",
+    "test:coverage:full": "bun run test:docker:up && bun test --coverage --config bunfig.ci.toml tests/unit tests/integration tests/docker; bun run test:docker:down",
+    "format": "prettier --write .",
+    "format:check": "prettier --check .",
+    "lint:deps": "depcruise packages/ --config .dependency-cruiser.cjs",
+    "docs:dev": "cd packages/docs && npx astro dev",
+    "docs:build": "cd packages/docs && npx astro build",
+    "docs:preview": "cd packages/docs && npx astro preview",
+    "docs:api": "bun packages/docs/generate-api.ts"
   },
   "dependencies": {
     "@asteasolutions/zod-to-openapi": "^8.4.1",
     "@hono/zod-openapi": "1.2.2",
+    "@lastshotlabs/bunshot-auth": "0.1.0",
+    "@lastshotlabs/bunshot-core": "0.1.0",
+    "@oclif/core": "^4.10.2",
     "@scalar/hono-api-reference": "0.10.0",
     "arctic": "^3.7.0",
-    "jose": "6.2.0"
+    "jose": "6.2.0",
+    "samlify": "^2.8"
   },
   "peerDependencies": {
     "hono": ">=4.12 <5",
@@ -107,18 +139,23 @@
     }
   },
   "devDependencies": {
+    "@simplewebauthn/server": "^13.1.1",
+    "@trivago/prettier-plugin-sort-imports": "^6.0.2",
     "@types/bun": "1.3.10",
     "bullmq": "^5.70.4",
+    "dependency-cruiser": "^17.3.9",
     "hono": ">=4.12",
     "ioredis": "5.10.0",
     "mongoose": "9.2.4",
+    "oclif": "^4.22.96",
     "otpauth": "^9.5.0",
+    "prettier": "^3.3.3",
     "tsc-alias": "^1.8.16",
+    "tsup": "^8.5.1",
     "typescript": "^5.9.3",
-    "zod": ">=4.0",
-    "@simplewebauthn/server": "^13.1.1"
+    "zod": ">=4.0"
   },
   "publishConfig": {
     "access": "public"
   }
-}
+}

package/dist/adapters/memoryAuth.d.ts

@@ -1,46 +0,0 @@
-import type { AuthAdapter } from "../lib/authAdapter";
-import type { SessionMetadata, SessionInfo } from "../lib/session";
-/** Reset all in-memory state. Useful for test isolation. */
-export declare const clearMemoryStore: () => void;
-export declare const memoryAuthAdapter: AuthAdapter;
-export declare const memoryCreateSession: (userId: string, token: string, sessionId: string, metadata?: SessionMetadata) => void;
-export declare const memoryGetSession: (sessionId: string) => string | null;
-export declare const memoryDeleteSession: (sessionId: string) => void;
-export declare const memoryGetUserSessions: (userId: string) => SessionInfo[];
-export declare const memoryGetActiveSessionCount: (userId: string) => number;
-export declare const memoryEvictOldestSession: (userId: string) => void;
-export declare const memoryUpdateSessionLastActive: (sessionId: string) => void;
-export declare const memoryGetSessionFingerprint: (sessionId: string) => string | null;
-export declare const memorySetSessionFingerprint: (sessionId: string, fingerprint: string) => void;
-export declare const memorySetRefreshToken: (sessionId: string, refreshToken: string) => void;
-import type { RefreshResult } from "../lib/session";
-export declare const memoryGetSessionByRefreshToken: (refreshToken: string) => RefreshResult | null;
-export declare const memoryRotateRefreshToken: (sessionId: string, newRefreshToken: string, newAccessToken: string) => void;
-export declare const memoryStoreOAuthState: (state: string, codeVerifier?: string, linkUserId?: string) => void;
-export declare const memoryConsumeOAuthState: (state: string) => {
-    codeVerifier?: string;
-    linkUserId?: string;
-} | null;
-export declare const memoryGetCache: (key: string) => string | null;
-export declare const memorySetCache: (key: string, value: string, ttlSeconds?: number) => void;
-export declare const memoryDelCache: (key: string) => void;
-export declare const memoryDelCachePattern: (pattern: string) => void;
-export declare const memoryCreateVerificationToken: (token: string, userId: string, email: string, ttlSeconds: number) => void;
-export declare const memoryGetVerificationToken: (token: string) => {
-    userId: string;
-    email: string;
-} | null;
-export declare const memoryDeleteVerificationToken: (token: string) => void;
-export declare const memoryCreateResetToken: (token: string, userId: string, email: string, ttlSeconds: number) => void;
-export declare const memoryConsumeResetToken: (hash: string) => {
-    userId: string;
-    email: string;
-} | null;
-import type { OAuthCodePayload } from "../lib/oauthCode";
-export declare const memoryStoreOAuthCode: (hash: string, payload: OAuthCodePayload, ttlSeconds: number) => void;
-export declare const memoryConsumeOAuthCode: (hash: string) => OAuthCodePayload | null;
-export declare const memoryCreateDeletionCancelToken: (token: string, userId: string, jobId: string, ttlSeconds: number) => void;
-export declare const memoryConsumeDeletionCancelToken: (hash: string) => {
-    userId: string;
-    jobId: string;
-} | null;